Provides a web frontend with OpenID Connect authentication that can create and sign new OpenVPN client certificates. The client certificates and the CA material (ca.crt/ca.key) are stored in S3. An .ovpn config is generated and offered as a download. The client crt/key can be encrypted at rest using AWS KMS.
| Environment Variable | Description |
|---|---|
| OAUTH2_CLIENT_ID | client id |
| OAUTH2_CLIENT_SECRET | client secret |
| OAUTH2_REDIRECT_URL | callback, e.g. http://url/callback |
| OAUTH2_URL | oidc url, e.g. https://url/oidc |
| OAUTH2_SCOPES | override oauth2 scopes |
| CSRF_KEY | 32-byte-long auth key used for CSRF protection |
| CLIENT_CERT_ORG | organisation |
| STORAGE_TYPE | s3 or azblob (Azure Blob Storage); default is s3 |
| S3_BUCKET | s3 bucket where openvpn config is stored |
| S3_PREFIX | s3 prefix, e.g. openvpn |
| S3_KMS_ARN | KMS ARN to encrypt s3 objects |
| AWS_REGION | AWS Region |
| AZ_STORAGE_ACCOUNT_NAME | Azure storage account name (when STORAGE_TYPE is azblob) |
| AZ_STORAGE_ACCOUNT_KEY | Azure storage account key. Leave empty to use Managed Service Identity (MSI) (when STORAGE_TYPE is azblob) |
| AZ_STORAGE_ACCOUNT_CONTAINER | Azure storage account container (when STORAGE_TYPE is azblob) |
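The table above describes several constraints that are easy to get wrong at deploy time: CSRF_KEY must be exactly 32 bytes, STORAGE_TYPE defaults to s3 and only accepts s3 or azblob, each backend has its own required variables, and an empty AZ_STORAGE_ACCOUNT_KEY silently switches to MSI. The following Go program is an added example of a startup validator for this environment, written for this page; it is not the project's own configuration loader. It assumes Go, assumes that OAUTH2_SCOPES is a comma- or space-separated list, and assumes a default scope set of openid/email/profile, none of which the page states. Failing fast on a bad configuration is preferable to discovering at first login that CSRF tokens cannot be signed or that certificates are being written to the wrong bucket.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// Config holds the settings from the environment-variable table.
type Config struct {
	ClientID, ClientSecret, RedirectURL, OIDCURL string
	Scopes                                       []string
	CSRFKey                                      []byte // must be exactly 32 bytes
	CertOrg, StorageType                         string // StorageType is "s3" or "azblob"
	S3Bucket, S3Prefix, S3KMSARN, AWSRegion      string
	AZAccountName, AZAccountKey, AZContainer     string
	AZUseMSI                                     bool // true when AZ_STORAGE_ACCOUNT_KEY is empty
}

// defaultScopes is an assumed default; the page only says OAUTH2_SCOPES overrides it.
var defaultScopes = []string{"openid", "email", "profile"}

// LoadConfig reads every variable through lookup (os.LookupEnv in main, a map in
// tests) and returns one error listing everything that is wrong.
func LoadConfig(lookup func(string) (string, bool)) (*Config, error) {
	get := func(key string) string { v, _ := lookup(key); return strings.TrimSpace(v) }
	c := &Config{
		ClientID: get("OAUTH2_CLIENT_ID"), ClientSecret: get("OAUTH2_CLIENT_SECRET"),
		RedirectURL: get("OAUTH2_REDIRECT_URL"), OIDCURL: get("OAUTH2_URL"),
		CSRFKey: []byte(get("CSRF_KEY")), CertOrg: get("CLIENT_CERT_ORG"),
		StorageType: strings.ToLower(get("STORAGE_TYPE")),
		S3Bucket: get("S3_BUCKET"), S3Prefix: get("S3_PREFIX"),
		S3KMSARN: get("S3_KMS_ARN"), AWSRegion: get("AWS_REGION"),
		AZAccountName: get("AZ_STORAGE_ACCOUNT_NAME"), AZAccountKey: get("AZ_STORAGE_ACCOUNT_KEY"),
		AZContainer: get("AZ_STORAGE_ACCOUNT_CONTAINER"),
	}

	var problems []string
	require := func(key, val string) {
		if val == "" {
			problems = append(problems, key+" is required")
		}
	}
	require("OAUTH2_CLIENT_ID", c.ClientID)
	require("OAUTH2_CLIENT_SECRET", c.ClientSecret)
	require("OAUTH2_REDIRECT_URL", c.RedirectURL)
	require("OAUTH2_URL", c.OIDCURL)
	require("CLIENT_CERT_ORG", c.CertOrg)

	// Both OIDC endpoints must be absolute http(s) URLs (e.g. http://url/callback).
	for _, kv := range [][2]string{{"OAUTH2_REDIRECT_URL", c.RedirectURL}, {"OAUTH2_URL", c.OIDCURL}} {
		if kv[1] == "" {
			continue
		}
		if u, err := url.Parse(kv[1]); err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
			problems = append(problems, kv[0]+" must be an absolute http(s) URL")
		}
	}

	// The table documents CSRF_KEY as a 32-byte key; any other length is a misconfiguration.
	if len(c.CSRFKey) != 32 {
		problems = append(problems, fmt.Sprintf("CSRF_KEY must be exactly 32 bytes, got %d", len(c.CSRFKey)))
	}

	// Scopes: assumed comma- or space-separated when overridden (format not stated on the page).
	if raw := get("OAUTH2_SCOPES"); raw != "" {
		c.Scopes = strings.FieldsFunc(raw, func(r rune) bool { return r == ',' || r == ' ' })
	} else {
		c.Scopes = append([]string(nil), defaultScopes...)
	}

	// Storage backend: default is s3; each backend has its own required settings.
	switch c.StorageType {
	case "":
		c.StorageType = "s3"
		fallthrough
	case "s3":
		require("S3_BUCKET", c.S3Bucket) // S3_PREFIX, S3_KMS_ARN and AWS_REGION stay optional here
	case "azblob":
		require("AZ_STORAGE_ACCOUNT_NAME", c.AZAccountName)
		require("AZ_STORAGE_ACCOUNT_CONTAINER", c.AZContainer)
		c.AZUseMSI = c.AZAccountKey == "" // empty key means Managed Service Identity
	default:
		problems = append(problems, "STORAGE_TYPE must be s3 or azblob, got "+c.StorageType)
	}

	if len(problems) > 0 {
		return nil, errors.New("invalid configuration:\n  " + strings.Join(problems, "\n  "))
	}
	return c, nil
}

func main() {
	c, err := LoadConfig(os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("storage=%s scopes=%v kms=%t msi=%t\n", c.StorageType, c.Scopes, c.S3KMSARN != "", c.AZUseMSI)
}
```

Run it with the variables from the table exported in the shell; it exits non-zero and prints every problem at once instead of stopping at the first, which keeps the deploy-and-retry loop short. Passing a lookup function rather than reading the environment directly is what makes the validation unit-testable without touching the real process environment.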